[Dshield] New virus/remake of Win32.Rightu.A

Ruigrok van der Werven, Jeroen Jeroen.Ruigrok at t-mobile.nl
Fri Oct 31 11:09:43 GMT 2003


Gents,

We have a virus here which didn't get picked up by our McAfee virus scanner.

To those who want it, reply and I'll send you a copy.

What I discovered is that the executable has been packed with UPX or a
similar packer.

Does anyone know of an unpacker which doesn't run the executable?

I've seen that it replaced netwatch.exe in C:\Windows with a UPX'd
executable and gets instantly started.  It is readily viewable in
Task Manager.

The email it uses to spread itself with is:

Hello Dear!,

Finally i've found possibility to right u, my lovely girl :) All our photos
which i've made at the beach (even when u're without ur bh:)) photos are
great! This evening i'll come and we'll make the best SEX :)

Right now enjoy the photos.
Kiss, James.
rmerrnwr

It seems to be classified by some people as the Win32.Rightu.A virus.
Could this be a new strain, given the fact that it has been known since
July/August this year?

-- 
Jeroen Ruigrok van der Werven <jeroen.ruigrok at t-mobile.nl>
Systeem Specialist Unix, T-Mobile Netherlands B.V., Postbus 16272
2500 BG Den Haag | Tel: +31 - (0)6 - 2409 6844 | Fax: +31 - (0)6 - 1409 5852
A sadder and a wiser man, he rose the morrow morn.

